I’ve mentioned here before that targeted malware, often delivered by "spear phishing" carried by apparently "harmless" documents such as PDFs, .DOCs and spreadsheets rather than overt programs, can have much more impact than the raw numbers of such attacks suggest. In fact, some sources now use the term "whaling" rather than "spear phishing" to reflect the size of the organizations targeted (and, presumably, the scale of the potential impact).
This impact can be so great because instead of being distributed to huge numbers of random people, the social engineering messages are distributed to a few people who have particular influence, or access to particularly interesting and/or valuable information. Today’s Big Issue is concerned with what are alleged to be attacks largely originating in China, against various diplomatic and governmental organizations and the Dalai Lama’s Tibetan exile centres, following the simultaneous release of an article in the New York Times, a paper from the University of Toronto, and another from the University of Cambridge in the UK. At the time of writing, the Toronto paper is unavailable because of a problem with the site, but it’s currently mirrored here.
While I haven’t come across these attacks against the exiled Dalai Lama’s supporters before, both the mechanisms and the far-East connection have been known for some years, even before the UK Centre for the Protection of National Infrastructure (then called NISCC) and security services went semi-public with an advisory. And I’ve referred here before to a chapter section in my "AVIEN Malware Defense Guide" where Ken Dunham and Jim Melnick describe zero-day attacks by "Wicked Rose" and the NCPH group centred on Trojans targeting such organizations as the Department of Defense.
Even if you’ve no particular interest in the locales and organizations named in these reports, there’s an issue touched on in the Cambridge paper by Shishir Nagaraja and Ross Anderson that demands further consideration, when they suggest that "What Chinese spooks did in 2008, Russian Crooks will do in 2010, and even low-budget criminals from less developed countries will follow in due course." Here’s why I think they’re right.
What Nagaraja and Anderson call social malware – what I’d call a combination of sophisticated Trojan malware and effective, targeted social engineering – is not the sole preserve of governments spying on governments. (In fact, government contractors and other organizations with significant political interest have been targeted from the beginning: it’s naive to think that a Critical National Intrastructure (CNI) is just an aggregation of government departments.)
The on-line world is full of crooks trying to make money from some form of phishing or other forms of fraud. There are plenty of potential victims out there, but maybe not as many as there were:
So criminals may have to share smaller pots between more people.
Furthermore, random dissemination of phishing and similar scams has a fatal weakness: massive random mailouts don’t lend themselves to personalized content.
For instance, I’m not likely to fall for -any- Bank of America phish because I don’t have an account with BoA, and hopefully you won’t send your credit card details to someone who addresses you as "Dear American Express User".
But even a sceptic like me might fall for an email that looks (and sounds) as if it comes from someone I trust, and includes or directs me to a document rather than a program file. Right now, you are most likely to get such a mail if you’re working in certain sectors. But as more blackhats get into the game who are more interested in cash than ideology, the more enterprising among them will spend more time on customizing and targeting, in the hope of getting a better hit rate and higher profits.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Author David Harley, ESET